OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

Information Security Series: Security Practices
Comprehensive Environmental Response, Compensation, and Liability Information System
Report No. 2006-P-00019
March 28, 2006

Report Contributors:
Rudolph M. Brevard
Charles Dade
Neven Morcos
Jefferson Gilkeson
Scott Sammons

Abbreviations

ASSERT     Automated Security Self-Evaluation and Remediation Tracking
C&A        Certification and Accreditation
CERCLIS    Comprehensive Environmental Response, Compensation, and Liability Information System
EPA        U.S. Environmental Protection Agency
FISMA      Federal Information Security Management Act
NCC        National Computer Center
OIG        Office of Inspector General
OMB        Office of Management and Budget
OSWER      Office of Solid Waste and Emergency Response
POA&M      Plan of Action and Milestones
RTP        Research Triangle Park


U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
2006-P-00019
March 28, 2006

Information Security Series: Security Practices
Comprehensive Environmental Response, Compensation, and Liability Information System

Why We Did This Review

As part of our annual audit of the Environmental Protection Agency’s compliance with the Federal Information Security Management Act (FISMA), we reviewed the security practices for a sample of key Agency information systems, including the Comprehensive Environmental Response, Compensation, and Liability Information System (CERCLIS).

Background

FISMA requires agencies to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency’s information assets. CERCLIS provides critical information in support of the Superfund program (a Federal mandate to clean up the Nation’s uncontrolled hazardous waste sites).

What We Found

The Office of Solid Waste and Emergency Response (OSWER) implemented practices to ensure production servers were being monitored for known vulnerabilities and personnel with significant security responsibility completed the Agency’s recommended specialized security training. However, we found that OSWER’s CERCLIS, a major application, was operating without a current (1) certification and accreditation package and (2) contingency plan or testing of the plan. OSWER officials could have discovered the noted deficiencies had they implemented practices to ensure these Federal and Agency information security requirements were followed. As a result, CERCLIS had security control weaknesses that could affect OSWER’s operations, assets, and personnel.

What We Recommend

We recommend that the CERCLIS System Owner:

• Conduct an independent review of security controls and a full formal risk assessment of CERCLIS and update the certification and accreditation package in accordance with Federal and Agency requirements,

• Conduct a test of the updated CERCLIS contingency plan, and

• Develop a Plan of Action and Milestones in the Agency’s security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the OSWER Information Security Officer:

• Conduct a review of OSWER’s current information security oversight processes and implement identified process improvements.

OSWER agreed with the report’s findings and has indicated that it has updated the CERCLIS security plan and re-authorized the application. OSWER officials also indicated that they updated the CERCLIS contingency plan and conducted a tabletop exercise of the updated plan. OSWER’s complete response is included in Appendix A.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20060328-2006-P-00019.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

March 28, 2006

MEMORANDUM

SUBJECT:  Information Security Series: Security Practices
          Comprehensive Environmental Response, Compensation, and Liability Information System
          Report No. 2006-P-00019

FROM:     Rudolph M. Brevard /s/
          Director, Information Technology Audits

TO:       Susan Parker Bodine
          Assistant Administrator for Solid Waste and Emergency Response

This is our final report on the information security controls audit of the Office of Solid Waste and Emergency Response’s Comprehensive Environmental Response, Compensation, and Liability Information System. This audit report contains findings that describe problems the Office of Inspector General (OIG) has identified and corrective actions the OIG recommends. This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final U.S. Environmental Protection Agency (EPA) position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed upon actions, including milestone dates. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893.


Table of Contents

At a Glance

Purpose of Audit ................................................................ 1
Background ...................................................................... 1
Scope and Methodology ........................................................... 2
CERCLIS’ Compliance with Federal and Agency Security Requirements ............... 3
     Certification and Accreditation ............................................ 4
     Contingency Planning ....................................................... 4
Recommendations ................................................................. 5
Agency Comments and OIG Evaluation .............................................. 5

Appendices
A    Agency Response to Draft Report ............................................ 6
B    Distribution ............................................................... 9


Purpose of Audit

Our objective was to determine whether the Office of Solid Waste and Emergency Response’s (OSWER’s) Comprehensive Environmental Response, Compensation, and Liability Information System (CERCLIS) complied with Federal and Agency information system security requirements. CERCLIS provides critical information and processing in support of the Superfund program (a Federal mandate to clean up the nation’s uncontrolled hazardous waste sites).

Background

We conducted this audit pursuant to Title III of the E-Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA). FISMA requires the Agency to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency’s information assets. EPA’s Chief Information Officer is responsible for establishing and overseeing an Agency-wide program to ensure that the security of its network infrastructure is consistent with these requirements. Program offices are responsible for managing the implementation of these security requirements within their respective organizations.

Program offices should create a Plan of Action and Milestones (POA&M) when they identify a security control weakness. The POA&M, which documents the planned remediation process, is recorded in the Agency’s Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool. ASSERT is used to centrally track remediation of weaknesses associated with information systems and serves as the Agency’s official record for POA&M activity.

FISMA requires the Inspector General, along with the EPA Administrator, to report annually to the Office of Management and Budget (OMB) the status of EPA’s information security program. The OIG provided the results of its review to OMB in Report No. 2006-S-00001, Federal Information Security Management Act, Fiscal Year 2005 Status of EPA’s Computer Security Program, issued October 3, 2005.

During our annual FISMA review, we selected one major application from each of five EPA program offices and reviewed the security practices surrounding those applications. Our review noted instances where EPA could improve its security practices overall, and the OIG reported the results to EPA’s Chief Information Officer in Report No. 2006-P-00002, EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes, issued October 17, 2005.

This audit report is one in a series of reports being issued to the five program offices that had an application reviewed. This report addresses findings and recommendations related to information security practice weaknesses identified in OSWER. In particular, this report summarizes our results regarding how OSWER implemented Federal and EPA information security requirements. This report also includes our evaluation of how OSWER implemented, tested, and evaluated information security controls to ensure continued compliance with Federal and Agency requirements for selected security objectives. The Scope and Methodology section contains the specific security objectives we audited.

Scope and Methodology

We conducted our field work from March 2005 to July 2005 at EPA Headquarters in Washington, DC, and the National Computer Center (NCC) in Research Triangle Park (RTP), North Carolina. We interviewed Agency officials at both locations and contract employees at the NCC. We reviewed relevant Federal and Agency information security standards. We reviewed application security documentation to determine whether it complied with selected standards. We reviewed system configuration settings and conducted vulnerability testing of servers for known vulnerabilities. We reviewed training records for personnel with significant security responsibilities.

We reviewed the following security practices for CERCLIS:

• Security Certification and Accreditation (C&A) practices: We reviewed CERCLIS’ C&A package to determine whether the security plan was updated and re-approved at least every 3 years and the application was reauthorized at least every 3 years, as required by OMB Circular A-130 and EPA policy.

• Application contingency plans: We reviewed CERCLIS’ contingency planning practices to determine whether OSWER complied with requirements outlined in EPA Directive 2195A1 (EPA Information Security Manual), National Institute of Standards and Technology Special Publication 800-34 (Contingency Planning Guide for Information Technology Systems), and EPA procedures document Procedures for Implementing Federal Information Technology Security Guidance and Best Practices.

• Security controls: We identified two areas of security controls: (1) system vulnerability monitoring, which included conducting vulnerability testing; and (2) physical access controls. The NCC manages the servers that run the CERCLIS application and provides the primary security controls for the application. Therefore, when evaluating system vulnerability monitoring, we evaluated practices at the NCC. We did not test physical security controls at the NCC, because the NCC was undergoing an audit of these controls at the time of our review. This audit found instances where EPA could improve its physical controls at RTP and reported the results in Report No. 2006-P-00005, EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus, issued December 14, 2005.

• Annual Training Requirements: We reviewed whether employees with significant security responsibilities satisfied annual training requirements.

We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

CERCLIS’ Compliance with Federal and Agency Security Requirements

We noted CERCLIS’ production servers were being monitored for known vulnerabilities and personnel with significant security responsibility had completed the Agency’s recommended specialized security training. However, our audit (1) disclosed that CERCLIS had deficiencies related to other significant security practices, and (2) highlighted areas where OSWER should place more emphasis to comply with established requirements. In particular, our review noted that CERCLIS contained security weaknesses in the following areas:

• The C&A package – consisting of a security plan, a third-party risk assessment, and a written authorization for operation – had not been updated in response to recent major system changes.

• The contingency plan had not been updated and tested in response to recent major system changes.

Preparing and maintaining an updated C&A package are vital in helping management determine whether effective security controls are in place and work as intended to operate an application. Updating and testing the contingency plan assist management in determining whether the organization could recover from a disruption in service. These two important security controls help ensure the Agency’s network infrastructure is adequately protected. These widely recognized preventive controls aid in reducing the likelihood that security incidents will occur, and by not emphasizing these key security controls, OSWER places the integrity and availability of CERCLIS at risk. In response to these findings, OSWER officials indicated that they have updated the CERCLIS security and contingency plans and have conducted a tabletop exercise of the updated contingency plan.

Certification and Accreditation

Our audit revealed that the CERCLIS system owners had not updated the application security plan, risk assessment, and authorization for operation related to a recent major change in processing, as required by Federal and Agency policy. During our audit, we determined that CERCLIS had undergone a major change in processing. Specifically, CERCLIS changed from a decentralized application (distributed throughout EPA Headquarters and 10 EPA regional offices) to a centralized application (hosted by the NCC in RTP). However, we found that the CERCLIS security plan and risk assessment had not been updated, and the system had not been re-authorized for operation related to this “major change” in processing.

Senior OSWER officials use these key C&A security documents to make the decision about whether CERCLIS’ security controls are sufficient and if adjustments to security controls are necessary before reaccrediting (reauthorizing) CERCLIS for continued operation. In addition, the assessment of risk and the development of system security plans are important activities in the Agency’s information security program that directly support security accreditation (management’s authorization for system operation). OSWER officials indicated that they have since updated CERCLIS’ security plan to reflect these major system changes and re-authorized the application. OSWER also indicated that the CERCLIS Team Leader would make a determination when the next risk assessment is to be scheduled.

Contingency Planning

Although OSWER had developed and tested a contingency plan for CERCLIS, the program office had not updated the plan to reflect major changes made to the system. In audit Report No. 2006-P-00005, the OIG reported that CERCLIS’ contingency plan did not identify critical resources needed during an outage. The OIG was unable to determine whether contracts were in place for the restoration of the application. In response to this finding, OSWER officials indicated that they conducted a tabletop exercise of CERCLIS in September 2005. However, OSWER officials did not indicate when the office would test the new plan.

Although OSWER conducted the tabletop exercise, Federal requirements specify that exercises and tests should be conducted to ensure that the procedures continue to be effective. In addition, testing of the plan would enable OSWER to become familiar with the necessary recovery steps and help management identify where additional emphasis is needed. OSWER officials indicated that the CERCLIS contingency plan had since been updated to reflect the changes to the application’s operating environment and that they completed another tabletop review of the new plan in December 2005.

Recommendations

We recommend that the Comprehensive Environmental Response, Compensation, and Liability Information System (CERCLIS) System Owner:

1. Conduct an independent review of security controls and a full formal risk assessment of CERCLIS and update the certification and accreditation package in accordance with Federal and Agency requirements,

2. Conduct a test of the updated CERCLIS contingency plan, and

3. Develop a Plan of Action and Milestones in the Agency’s security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the Office of Solid Waste and Emergency Response (OSWER) Information Security Officer:

4. Conduct a review of OSWER’s current information security oversight processes and implement identified process improvements.

Agency Comments and OIG Evaluation

OSWER concurred with many of the report’s findings and indicated that the office took or planned steps to remediate the identified weaknesses. OSWER also provided additional details regarding its processes for maintaining the CERCLIS contingency plan, and we modified the report to remove the recommendation to develop and implement a plan to maintain the contingency plan. OSWER also indicated that, based on actions already taken, no further Plan of Action and Milestones are needed. However, given the resources required to complete the risk assessment and to test a contingency plan, we feel OSWER should record these significant security-planning activities in the Agency’s security tracking system. OSWER’s complete response is included as Appendix A.


Appendix A

Agency Response to Draft Report

March 2, 2006

MEMORANDUM:

SUBJECT:  OSWER Response to Audit Report:
          Information Security Series: Security Practices of the Comprehensive Environmental Response Compensation Liability Information System (CERCLIS)/Assignment No: 2005-000661

FROM:     Susan Parker Bodine /s/
          Assistant Administrator

TO:       Rudolph M. Brevard
          Director, Information Technology Audits
          Office of Inspector General

Thank you for the opportunity to respond to the audit report on Information Security Series: Security Practices of the Comprehensive Environmental Response Compensation Liability Information System (CERCLIS). We appreciate your efforts to ensure the Agency is in compliance with the Federal Information Security Management Act (FISMA) by conducting annual audits of our applications. This memorandum addresses the accuracy of the audit report and identifies the corrective actions already initiated to ensure compliance.

RESPONSE TO RECOMMENDATIONS:

The system owner has provided the following information in response to your recommendations:

1. Update the CERCLIS certification and accreditation package in accordance with Federal and Agency requirements by ensuring that (1) the Security Plan is up to date, (2) an independent review of security controls and a full formal risk assessment are performed, and (3) management formally reauthorizes CERCLIS for operation.

The Security plan was updated and signed by the certifying official on 12/23/05 and by the authorizing official on 02/01/06.

The management, operational and technical security controls for the CERCLIS application are tested for effectiveness on a regular basis. The most recent review and independent tests for effectiveness of security controls were conducted by Booz Allen Hamilton, with a report delivered to EPA in February 2004. The risk assessment included documentation reviews, manual and automated assessments of both computer hardware and software, which support the CERCLIS application. The risk assessment involved evaluating management, technical, and administrative controls already implemented. The elements of risk (threat, vulnerability, countermeasures, and impact) were evaluated as well.

In addition to the risk assessment, CERCLIS performs weekly and monthly reviews of all audit reports and logs. User accounts are reviewed quarterly to ensure accounts are valid. A determination is made regarding access to the system based on pre-determined roles and user/member groups. Accounts are reviewed to ensure users have taken the required annual security training. Accounts are deleted if they have not been active within ninety days. Consequences for violating access privileges and the Rules of Behavior are taken seriously; user ids are removed or suspended for violations. Quarterly reviews of management and operational controls are a part of the standard operating procedures for the CERCLIS application.

CERCLIS is moving away from performing a major risk assessment every three years to continuous monitoring of the application. Areas of focus are the management and control of its hardware, and performing security impact analysis. The agency has several IT security tools approved for use, licensed by EPA and available to Information Security Officers, System Administrators, and Local Area Network (LAN) Managers and Administrators to help protect IT assets. The CERCLIS Team Leader will make a determination when the next risk assessment is to be scheduled.

2. Conduct a test of the updated CERCLIS contingency plan.

OSRTI conducted the recommended test of the updated CERCLIS contingency plan on December 17, 2005.

3. Develop and implement a process to test and maintain the CERCLIS contingency plan. The process should ensure the plan is tested at least annually and that the plan is updated whenever significant changes occur to the system, supported business processes, key personnel, or to the contingency plan itself.

Over the past year, the Office of Superfund Remediation and Technology Innovation (OSRTI) has worked closely with EPA’s National Computing Center (NCC) to centralize the CERCLIS Regional databases. As a follow-up to this work, the Contingency Plan for CERCLIS was revised in September 2005. Furthermore, a coordinated effort with the NCC has taken place to perform a table-top review of the CERCLIS application. The tabletop review was tested with participation and concurrence by the NCC on December 17, 2005. In complying with Agency standards, OSRTI has used the two National Institute of Standards and Technology (NIST) documents which focus specifically on contingency planning and testing. The first NIST document (NIST 800-84, Guide to Single-Organization IT Exercises) describes the procedures for the table-top review. The second document (NIST 800-34, Contingency Planning Guide for Information Technology Systems) describes in detail how to write a Contingency Plan.

4. Develop a Plan of Action and Milestone in the Agency’s security weakness tracking system (ASSERT database) for all noted deficiencies.

Based on actions already taken as noted above, no further action is required because the noted deficiencies have been addressed.

5. Develop and implement a plan to re-evaluate system security oversight processes to ensure the above recommendations are uniformly applied to all general support systems and major applications within OSWER.

The OSWER Information Security Officer (ISO), in coordination with and supported by the Senior Information Official (SIO) and Information Management Officer (IMO), oversees a coordinated review of all OSWER systems annually with ongoing monitoring of major security milestones throughout the year. OSWER uses the Agency’s ASSERT System to manage this process. Self-assessments occur annually and Plan of Actions and Milestones are generated to ensure changes or needed processes are addressed. OSWER’s security status, as recorded in ASSERT, is independently audited by the Office of Environmental Information.

Please feel free to contact Robert King at 703.603.8792 or William Bushee at 703.603.8963, if you have any questions or need additional information.

cc:  Renee Wynn
     Kevin Phelps
     Paula Rodriguez
     Michael B. Cook
     Joan Harrigan-Farrelly
     Patricia Gowland


Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Solid Waste and Emergency Response
Acting Assistant Administrator for Environmental Information
Acting Director, Technology and Information Security Staff
Audit Followup Coordinator, Office of Solid Waste and Emergency Response
Audit Followup Coordinator, Technology and Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Acting Inspector General
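The Agency response in Appendix A describes a quarterly account review: accounts are checked against pre-determined roles, verified for completion of annual security training, and deleted when they have not been active within ninety days. The script below is an added example, not code from the OIG report or from the CERCLIS program, showing how such a review can be run mechanically over an account export. The record layout, the role list, the one-year validity window for training, and the sample records are assumptions; only the ninety-day inactivity threshold comes from the response.

```python
"""Quarterly account review: dormant accounts, overdue training, unknown roles.

Added example, not part of the OIG report or of CERCLIS. It models the
review the Agency response describes. Record fields, the role list, the
training validity window and the sample data are assumptions; the
ninety-day inactivity rule is the one stated in the response.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90        # stated in the Agency response
TRAINING_VALID_DAYS = 365   # assumption: "annual" training is valid for one year

# Assumed set of pre-determined roles used for access decisions.
ALLOWED_ROLES = {"regional-user", "dba", "developer"}


@dataclass
class Account:
    user_id: str
    role: str
    created: date
    last_activity: Optional[date]       # None means the account was never used
    training_completed: Optional[date]  # None means no training record


# Constructed sample records (not real CERCLIS users).
SAMPLE_ACCOUNTS = [
    Account("analyst01",  "regional-user", date(2005, 1, 10), date(2005, 12, 20), date(2005, 6, 1)),
    Account("analyst02",  "regional-user", date(2005, 1, 10), date(2005, 8, 1),   date(2005, 6, 1)),
    Account("newhire03",  "regional-user", date(2005, 9, 15), None,               None),
    Account("admin04",    "dba",           date(2004, 3, 1),  date(2005, 12, 28), date(2004, 11, 30)),
    Account("contract05", "contractor",    date(2005, 10, 1), date(2005, 12, 28), date(2005, 10, 2)),
]


def days_inactive(account: Account, as_of: date) -> int:
    """Days since the last recorded activity; a never-used account counts
    as inactive since the day it was created."""
    anchor = account.last_activity if account.last_activity is not None else account.created
    return (as_of - anchor).days


def training_overdue(account: Account, as_of: date) -> bool:
    """True when there is no training record or it is older than the window."""
    if account.training_completed is None:
        return True
    return (as_of - account.training_completed).days > TRAINING_VALID_DAYS


def review_accounts(accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Classify accounts the way the quarterly review would.

    Returns user ids per finding:
      delete           - no activity within INACTIVITY_DAYS (or never used)
      training_overdue - annual security training missing or expired
      unknown_role     - role is not one of the pre-determined roles
    """
    findings: Dict[str, List[str]] = {"delete": [], "training_overdue": [], "unknown_role": []}
    for acct in accounts:
        if days_inactive(acct, as_of) > INACTIVITY_DAYS:
            findings["delete"].append(acct.user_id)
        if training_overdue(acct, as_of):
            findings["training_overdue"].append(acct.user_id)
        if acct.role not in ALLOWED_ROLES:
            findings["unknown_role"].append(acct.user_id)
    return findings


if __name__ == "__main__":
    # Review date chosen to sit at the end of the quarter in the sample data.
    for finding, users in review_accounts(SAMPLE_ACCOUNTS, date(2005, 12, 31)).items():
        print(f"{finding:17s} {', '.join(users) or '-'}")
```

The review date is passed in rather than taken from the clock so that the same export can be re-run for a past quarter and produce the same findings, which is what an auditor asking for evidence of the quarterly review needs. Accounts that were never used are measured from their creation date; otherwise a provisioned-but-unused account would never fall under the ninety-day rule.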